Consumers use the services provided by the World Wide Web to perform confidential transactions such as personal banking, share dealing, buying goods on-line or launching other services from within a portal environment.
A user can access these services over a network communicating with servers located throughout the world for obtaining information. The information is stored on servers and delivered to the user's application from a server by sending files or data packets to the requesting client application from the network server resources.
When performing such transactions on line consumers are concerned about the privacy and security of their information. In particular the use of shared computers by a number of different users at the same location increases these concerns as confidential information is on display in open application windows for other users to view.
When a number of users share the same computer it is possible that a user may not log off or shut down their application correctly and leave sensitive, confidential or personal information on display in open application windows for a subsequent user to view. The information contained in the open application windows could be used by another user to gain unauthorized access to another persons' bank accounts, share-dealing accounts or credit card details. This is a particular problem for network applications accessing confidential information on-line. The security concerns can mostly be mitigated by explicit session management.
Hypertext Transfer Protocol - HTTP, which defines the ways in which network applications interact with network servers; performs session management. HTTP is a ‘request-reply’ protocol in which the client sends a request message to the server containing the URL of the required resource. The server looks up the pathname and, if it exists, sends back the file's content in a reply to the client. HTTP allows for content negotiation and authentication.
Authentication involves a user entering a password; on first attempt to access a password protected area, the server reply contains a challenge applicable to that resource, for example a digital signature. When it receives the challenge, the client prompts the user to type a name and password and submits associated credentials with subsequent requests.
However the need to establish and close a connection for every request-reply exchange is expensive, both in overloading the server and in sending too many messages over the network. Persistent connections are used that remain open over a series of request reply exchanges between client and server. A persistent connection can be closed by a client or server at any time by sending an indication to the other participant. Servers may be configured to close a persistent connection when it has been idle for a period of time. If an application over a network has been idle for some time then the connection will time out and the user will be required to re-enter their authentication details into the application.
Session management can therefore be useful to stop an unauthorized user gaining access to a variety of different applications that a user may be logged on to, but session management does not provide management of windows and consequently an unauthorized user will be able to view any confidential information on display in an open application window.
Where an explicit log off has not occurred in the application window there are a number of design implications that can be considered when designing the user interface with regards to the management of windows. Broadly these fall into the following categories which are; not launching any further application windows, only launching a single application window at a given time in an application window that exhibits modal behavior, or closing the application's home page window by using the application's File—Exit route or an operating system provided function such as the ‘X’ icon or task manager.
One method of providing the management of windows in an application is to use an interpreted client side programming language to provide the required functionality. Using an interpreted client side programming language such as JavaScript, the management of windows is limited to creating new application windows with defined properties of height, width, color and style. A client side programming language such as JavaScript uses what are known as ‘modal windows’ to obtain user feedback as to whether to perform specified operations. A typical modal window contains one or more buttons yes, no, cancel or okay and a question prompting the user, for example ‘Do you wish to close this application?’. A modal window will not go away until a user clicks on the yes, no, cancel or okay button.
Modal application windows that are provided by client side code have their limitations, for example when using the showModalDialog( ) function in JavaScript. The showModialDialog( ) function creates a separate pop up application window displaying the html page of a given URL. The application window allows the user to address the data of that application window before returning to the parent application window.
The showModalDialog( ) function is Internet Explorer® browser specific and provides no support for the Netscape® browser or the W3C Document Object Model. The showModalDialog( ) function creates a completely standalone application window which has no scriptable relationship with the launching application window. On the Macintosh® operating system platform it is not possible to set the width, height and color properties.
The onFocus( ) function in the parent window enables the selection of the parent application window and captures the event generated by the onFocus( ) function. The onFocus( ) function carries out a check to determine whether the launched application window exists. The onFocus event handler executes the specified JavaScript code or function on the occurrence of an onFocus( ) generated event. The onFocus event occurs when a window, frame or form element is given focus by the user. The onFocus( ) function works in the Internet Explorer® browser and the Netscape 4.xx® browser, the Macintosh® and the LINUX® platforms.
A disadvantage of this function is the inability to minimize the modal window in the Microsoft Windows® operating system. The function can be fatal in the Netscape 6® browser. When the close button on the parent application window is selected and the modal application window is open the parent window is closed leaving the modal application window open.
The repeated calling of the self.focus( ) function in a child application window, allows a timer to start when a document is loaded into the application window. The timer rapidly and repeatedly calls the self.focus( ) function on the launched window. A disadvantage of implementing the self.focus( ) function is that it is modal to all other applications and the function cannot access other launched application windows, because there does not exist a scriptable relationship between the application window and the modal window. The self.focus( ) function can also close the launched application window via the operating system function calls; thereby leaving the launched window open, which potentially could contain a transactional application in an invalid session.
The onFocus( ) or onClick( ) function in the parent window calls the onOpenedWindow( ) function. Focusing or clicking on the parent application window calls a check for the existence of a launched application window. If the check returns true then the launched application window is brought forward by windowname.focus( ) function. The windowname.focus( ) function has the disadvantage that it does not produce consistent results in the Internet Explorer 4® browser.
Compatibility problems are a major consideration when creating applications using an interpreted client side language. Different applications support different levels of HTML and the amount of JavaScript functionality that an application can support depends on the interpreter in the application.
Another method of closing opened application windows is by a system provided function such as the ‘X’ icon on the application task bar, the task manager or by the use of the File/Exit on the menu bar. Although this closes the opened application window it provides no automation of the close action of any network or non-network application window launched from within the initial application window and relies on the user to perform the action.